System And Information Integrity
Use threat indicator information relevant to the information and systems being protected and effective mitigations obtained from external organizations to inform intrusion detection and threat hunting.
When conducting cyberattacks, attackers tend to operate using certain patterns of behavior or exploit capabilities. This collection of patterns and capabilities is known as Tactics, Techniques, and Procedures (TTP). An organization can build its knowledge of attacker TTPs by participating in the Information Sharing and Analysis Center (ISAC) for its industry. An ISAC collects cyber threat information relevant to the industry and its members in order to improve the cyber posture of that industry. Depending on its lines of business, an organization may consider more than one ISAC. An organization may also acquire TTPs through commercial providers for integration into various technologies.

Example

You are the manager of the Security Operations Center (SOC) and have recently added a role to perform cyber threat hunting. You have been tasked to set up the process for the SOC. You first identify relevant sources of threat information for the organization. You have the organization join the National Defense ISAC and begin to interact with peers in the ISAC. You capture events in your organization and share the TTPs with your peers. In return, they share new TTPs with you. After downloading the TTPs, you build queries against the SOC's central repository for recurring searches. You also acquire a commercial threat indicator feed of suspicious domains, known malware hashes, and IP addresses. You use these to supplement a custom intrusion detection system.

ADDITIONAL READING

National Council of ISACs: https://www.nationalisacs.org/
ATT&CK: https://attack.mitre.org/
NIST Special Publication 800-150: Guide to Cyber Threat Information Sharing: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-150.pdf
Homeland Security Systems Engineering & Development Institute Cyber Threat Modeling: https://www.mitre.org/sites/default/files/publications/pr_18-1174-ngci-cyber-threatmodeling.pdf
DRAFT NIST SP 800-171B

The constantly changing and increasing sophistication of adversaries, especially the advanced persistent threat (APT), makes it essential that threat information relating to specific threat events (e.g., TTP, targets) that organizations have experienced, mitigations that organizations have found are effective against certain types of threats, and threat intelligence (i.e., indications and warnings about threats that can occur) be sourced from and shared with trusted organizations. This information can be used by organizational Security Operations Centers (SOC) and incorporated into monitoring capabilities. Threat information sharing includes threat indicators, signatures, and adversary TTP from organizations participating in various threat-sharing consortia, government-commercial cooperatives, and government-government cooperatives (e.g., CERTCC, US-CERT, FIRST, ISAO, DIB CS Program). Unclassified indicators, based on classified information but which can be readily incorporated into organizational intrusion detection systems, are available to qualified nonfederal organizations from government sources.
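The indicator matching that the example scenario and the NIST discussion describe (a feed of suspicious domains, malware hashes and IP addresses checked against events in the SOC's central repository), as an added example that is not part of the original page. The feed values, event records and field names are constructed placeholders, and the feed format is assumed, not any vendor's.

```python
import ipaddress
# Constructed placeholder feed (not real IoCs): the three categories the text names.
PLACEHOLDER_HASH = "ab" * 32
INDICATOR_FEED = {
    "domains": ["Bad-Example.invalid.", "c2.example.net"],
    "networks": ["203.0.113.0/24", "198.51.100.7"],  # CIDR ranges or single IPs
    "sha256": [PLACEHOLDER_HASH.upper()],
}

# Constructed sample events as they might sit in the SOC's central repository.
SAMPLE_EVENTS = [
    {"id": 1, "source": "dns", "query": "update.bad-example.invalid"},
    {"id": 2, "source": "proxy", "dst_ip": "203.0.113.45", "host": "cdn.example.org"},
    {"id": 3, "source": "edr", "sha256": PLACEHOLDER_HASH},
    {"id": 4, "source": "proxy", "dst_ip": "192.0.2.10", "host": "intranet.example.org"},
]

def normalize_domain(domain):
    """Lowercase and drop any trailing dot so feed and log formats compare equal."""
    return domain.strip().lower().rstrip(".")

def load_feed(feed):
    """Normalize the feed once so every lookup is case- and format-insensitive."""
    return {
        "domains": {normalize_domain(d) for d in feed["domains"]},
        "networks": [ipaddress.ip_network(n, strict=False) for n in feed["networks"]],
        "sha256": {h.lower() for h in feed["sha256"]},
    }

def domain_matches(domain, bad_domains):
    """True if the domain or any parent domain is listed (catches subdomains)."""
    labels = normalize_domain(domain).split(".")
    return any(".".join(labels[i:]) in bad_domains for i in range(len(labels)))

def hunt(events, feed):
    """Return (event id, indicator type, matched value) for every feed hit."""
    idx = load_feed(feed)
    hits = []
    for ev in events:
        for field in ("query", "host"):
            if field in ev and domain_matches(ev[field], idx["domains"]):
                hits.append((ev["id"], "domain", normalize_domain(ev[field])))
        if "dst_ip" in ev:
            addr = ipaddress.ip_address(ev["dst_ip"])
            if any(addr in net for net in idx["networks"]):
                hits.append((ev["id"], "ip", ev["dst_ip"]))
        if "sha256" in ev and ev["sha256"].lower() in idx["sha256"]:
            hits.append((ev["id"], "hash", ev["sha256"].lower()))
    return hits
```

Event 4 produces no hit, which is the check worth keeping: a feed match routine that flags every proxy record would only add noise to the recurring searches.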
NIST CSF v1.1 ID.RA-2, ID.RA-3
Draft NIST SP 800-171B 3.14.6e